Let me suggest a situation where perhaps I would like to bring up an IKE_SA and not a CHILD_SA: it might be for just sending initial contact, and perhaps even a DELETE.
I sometimes move quickly from being "outside" my IPsec gateway/firewall (such as being on wireless), to being wired behind the gateway, where I do not need IPsec. The DPD doesn't kick off fast enough, and my traffic goes to where I am no longer. It would be nice to bring up the IKE_SA (or... haha, resume it), just so that I can send a delete and/or initial_contact. Seems like to do this, one needs to include a known-to-be-unacceptable CHILD_SA proposal.

--
] Y'avait une poule de jammé dans l'muffler!!!!!!!!! | firewalls [
] Michael Richardson, Sandelman Software Works, Ottawa, ON |net architect[
] m...@sandelman.ottawa.on.ca http://www.sandelman.ottawa.on.ca/ |device driver[
] panic("Just another Debian GNU/Linux using, kernel hacking, security guy"); [